
The Journal of Physical Security 
Volume 13(1), 2020 


(ISSN 2157-8443) 






Table of Contents 
Journal of Physical Security, Volume 13(1), 2020 
Available at http://jps.rbsekurity.com 


Editor’s Comments, pages i-vi 
RG Johnston, “Security Assurance”, pages 2-4 


RG Johnston, “A Vulnerability Assessor’s Views on U.S. Election Security”, pages 5-7 


Journal of Physical Security 13(1), i-vi (2020) 


Editor’s Comments 


Welcome to volume 13, issue 1 of the Journal of Physical Security (JPS). Past issues of JPS 
are available at http://jps.rbsekurity.com, and you can also sign up there to be notified by 
email when a new issue becomes available. A cumulative table of contents for the years 
2004 through 2019 is available at http://rbsekurity.com/JPS Archives/grand jps TOC.pdf 


JPS is hosted by Right Brain Sekurity (RBS) as a free public service. RBS is a small 
company devoted to physical security consulting, vulnerability assessments, and R&D 
(http://rbsekurity.com). 


As the COVID-19 pandemic descended on us in the winter of 2020, I recognized it was a 
horrifying situation. But as a silver lining, I thought many security professionals would be 
stuck at home and would therefore have more time to work on their long-planned paper for 
the Journal of Physical Security. So I sat back and waited for the anticipated flood of new 
manuscripts to arrive. And I waited. And I waited some more. Surprisingly, the flow of 
manuscripts to review slowed to a trickle! I guess everybody had other issues to deal with. 


In any event, rather than not publishing JPS at all this year, I decided to release this issue. 
There certainly has been plenty of security news to comment on (and make fun of) in the 
Editor’s comments below. And I wanted to publish two Viewpoint Papers of my own that 
cover some important issues that have come up recently. 


Finally, given that this is largely a narcissistic issue of JPS anyway, I thought I would plug 
my new book, “Vulnerability Assessment: The Missing Manual for the Missing Link”. I’m 
doing this despite the fact that we don’t really do advertisements in JPS. There are 3 main 
reasons why we ordinarily don’t run ads: 


1. I think it is kind of cheesy when “scholarly” journals—as opposed to trade journals— 
run ads. 


2. Often, JPS papers challenge conventional approaches to security and this would be 
discordant with the hype, spin, and boosterism so often associated with security sales 
pitches. 


3. JPS hasn't solicited advertisements, and no company has ever approached JPS with 
interest in running an advertisement, anyway. 


I don't feel too guilty about this one-time, shameless plug of my own book given that I 
have volunteered as the editor of JPS for the past 16 years. It’s a lot of work, and I do it 
without compensation—unless you count, as I do, numerous expressions of sincere 
gratitude from grateful readers and authors. Besides my book truly is unique—there’s 
nothing out there like it—and most people who have read it seem to have found it of value. 


*** 


Heists 


Bloomberg Businessweek had an interesting issue (July 6, 2020) devoted entirely to 
Heists. 


*** 


Third Time is the Charm 


A Frans Hals masterpiece was stolen from a museum again. Here are other interesting 
articles on museum theft, plus a podcast: Article 1. Article 2. Podcast. 


*** 


Euro-Trash 


There’s a cute hack for defeating Aldi-type European shopping cart locks that require a 
coin. 


*** 
Hacking Anti-Porch-Pirate Technology 


Marc Weber Tobias has been up to his usual (good) mischief. Also, check out his 
outstanding, informative security web page. 


*** 
Cashing Out 


A new kind of ATM attack: https://www.wired.com/story/thieves-are-emptying-atms-using-a-new-form-of-jackpotting/ 


*** 


Let’s Just Face It 


Here are some provocative and troubling articles on problems, issues, and vulnerabilities 
associated with facial recognition biometrics. 




https://nymag.com/intelligencer/2020/01/why-we-should-ban-facial-recognition-technology.html 


https://onezero.medium.com/the-tools-to-defeat-facial-recognition-are-free-online-a48a36e90c91 


*** 


Buy O’Metrics 


Space Technologies has a good web page discussing biometric apps, including a nice, 
succinct summary of 10 different kinds of biometrics near the bottom of the page. 


*** 


Don’t Pass Along the Boarding Pass 


Don’t leave your boarding pass on the plane after the flight! It contains a lot of personal 
information that hackers can use. 


*** 


Light Bulb Eavesdropping 


This article discusses a technique for real-time listening in on a room from the parking lot 
hundreds of feet away. 


*** 


More About Bugs 


Researchers have discovered that people can reduce their fear of spiders or ants by 
watching the movies “Spider-Man” or “Ant-Man”, respectively. 


Perhaps organizations and security managers can lose their fear of vulnerability 
assessments if they watched all the classic movies where vulnerability assessors are the 
heroes? 


*** 
Psycho 
Check out these 4 thought-provoking articles on the weirdness and limitations of the 
human brain. In my experience, a lot of the cognitive and psychological issues discussed in 
these articles routinely plague security programs. Article 1, Article 2, Article 3, Article 4. 


*** 


Going to the Dogs 


There are two interesting MythBusters episodes on countermeasures to guard dogs and 
bloodhounds: Episode 74 from May 14, 2007 and Episode 148 from October 6, 2010. 


*** 


Keystone Kops 


A recent CIA internal report found that the agency's poor security led to the massive 
2017 data breach. To read a news story on this report, click here. 


*** 


Those Wacky Russkies 
A Russian tourist reportedly offered $1 million to a Tesla employee to sabotage Tesla. 


Tesla is believed to have a good Security Culture, which may be responsible for why the plot 
was uncovered. 


*** 
Better Inertial Guidance 


Check out this article about how the Air Force may have a magnetic replacement for GPS, 
which has long had various kinds of vulnerability and engineering issues. 


I wonder how far we are from a purely internal inertial monitoring chip that can report 
position sufficiently accurately with zero external input, other than the 3D acceleration it 
experiences. Current accelerometers/gyroscopes based on lasers, like those used on 
passenger airplanes for inertial guidance, or atom interferometers are pretty good but are 
currently too big, complex, expensive, and insufficiently accurate. 


*** 


Pepsi Classic Error 


A blunder at the Pepsi bottling plant in the Philippines in 1992 made 600,000 people 
mistakenly think they had won a large sum of money in a Pepsi contest. Chaos ensued. 


*** 


Counterfeit Scotch I 


You can read about some new technologies for dealing with the substantial problem of 
counterfeit whisky here. 


*** 


Counterfeit Scotch II 


It turns out that almost the entire Scots version of Wikipedia was written in a fake 
Scottish accent by a North Carolina teenager. You can read about it here. This is quite 
shocking, as everybody knows that Wikipedia is a highly scholarly, reliable reference on any 
and every topic (plus—according to my college students—being on the Internet makes any 
content automatically true). 


*** 


Counterfeit Hawaiian 
There's an often repeated story that many tourists visiting Hawaii supposedly think that 
"Mahalo" (Thank you!) means “trash" since the word is painted on trash bins in cafes, fast 
food places, and so on. 


*** 
Counterfeit Welsh 
British transportation officials in 2008 sent an e-mail to a well-known Welsh Councilman 
asking for a translation for a road sign that was intended to say, “No entry for heavy goods 
vehicles.” When they got back a reply, they dutifully put up a road sign that said in Welsh, “I 
am not in the office at the moment.” 


*** 
Security Cameras Record an Attack 
Check out this remarkable footage from security cameras recording a malicious tornado! 
*** 
Security Cameras Are Good for Other Things, Too 


Other benefits of security cameras can be seen here, here, and also here. 


*** 


Undercover Assignment 


It has been revealed that supermodel Claudia Schiffer used to require security guards to 
stand watch over her underwear, as it was frequently stolen. I suppose it beats having to 
stand guard over nuclear material, money, or some jerk executive. For the story, click here. 


*** 


Classic Screwups 


Read about 5 classic FBI screwups. There are so many going back over the years, that it 
must have been hard to choose. These are some of the more comical blunders but certainly 
not the most serious (like 9/11 or forensic lab fraud). 


*** 


Life Imitates Art 


Check out the 2019 movie, “The Irishman”, directed by Martin Scorsese with a superb 
cast. It’s not just great film making, with probably the most brilliant continuous 1-shot 
Steadicam scene in the history of cinema, but it also has a scene where a truck driver palms 
the ball seal he was supposed to install on his truck, and only puts it on later after the theft. 
Pretty realistic! 


*** 


Piety in the Movies 


While it’s not at the level of the Roman Catholic Church’s 1992 apology to Galileo (only 
350 years too late), the Vatican's official newspaper has declared, on the 30th anniversary of 
its release, that the 1980 comedy film, “The Blues Brothers” is a “Catholic classic” that 
should be seen by all Catholics. 


The John Landis cult classic does have a brief scene with a comically sadistic nun, and the 
claim by the protagonists that they are “on a mission from God” to save an orphanage, but 
other than that, the film seems to lack the spirituality (or at least the heavy-handed 
earnestness) of other commercial films blessed by the Church. These include Cecil B. 
DeMille’s “The Ten Commandments,” Franco Zeffirelli’s “Jesus of Nazareth,” Mel Gibson’s 
“The Passion of The Christ,” Victor Fleming’s “Joan of Arc,” and Frank Capra’s “It’s a 
Wonderful Life”. 


-- Roger Johnston 
Oswego, Illinois 
October 2020 




Advertisement 


Vulnerability Assessments 


The idea behind Vulnerability Assessments (VAs) is that we can’t prevent or test what we 
haven't envisioned. VAs involve imaginatively thinking like the bad guys to discover 
security weaknesses, attack scenarios, and potential countermeasures. 


VAs are often missing or poorly done. They frequently get confused with other analysis 
techniques like threat assessments, risk assessments, security surveys, security audits, pen 
testing, “red teaming”, DBT, etc. These other techniques may well be worth doing, but they 
aren't particularly good at finding vulnerabilities, attack scenarios, or countermeasures, nor 
do they typically mimic how bad guys think, unlike true VAs. Many of these techniques 
pretend that the good guys get to define the problem—when in reality, the bad guys do! 


But if you want to do a good job with Vulnerability Assessments, there is little in the 
literature to provide practical advice on how to do them effectively, creatively, and 
proactively. Thus the need for this new, totally unique book, based on the author’s 30+ 
years of experience as a Vulnerability Assessor for many different kinds of security. 


Vulnerability Assessment: The Missing Manual for the Missing Link 




Available as a book or ebook on Amazon: https://www.amazon.com/dp/B08C9D73Z9 


Here are 3 lively, previously recorded Interviews/Webinars on various topics in the book including VAs, 
insider threat mitigation, and security assurance: 
https://youtu.be/KesyK1KKMHk 
https://tinyurl.com/y6ha9hyc 
https://tinyurl.com/y4e4afl4 


Other books by this author: Security Sound Bites: Important Ideas About Security From 
Smart-Ass, Dumb-Ass, and Kick-Ass Quotations (which Security Magazine called 
"Fascinating...Full of thought triggers") and Devil’s Dictionary of Security Terms. 


Journal of Physical Security 13(1), 2-4 (2020) 


Viewpoint Paper 


Security Assurance* 


Roger G. Johnston, Ph.D., CPP 
http://rbsekurity.com 


If you look for truth, you may find comfort in the end; if you look for 
comfort you will get neither truth nor comfort...only soft soap and 
wishful thinking to begin, and in the end, despair. 

-- C.S. Lewis (1898-1963) 


Security Assurance is gaining confidence that our security has a good probability of handling 
the threats we face, and that we are not wasting money in doing so. 


I would argue that Security Assurance is something that often must be provided to 
stakeholders (including taxpayers) and the organization’s leadership, but should not be part of a 
security program or security strategy per se. Confidence in security is always over-confidence, if 
not arrogance and complacency. I don’t want security managers and others who provide security 
to be assured; I want them to be sweating bullets. That is simply the dismal nature of Security. 
The old adage has it right: “If you are happy with your security, so are the bad guys.” 


Security managers and security programs should seek to optimize their security through 
prudent Risk Management, but they should not seek dubious comfort from bogus confirmation 
that everything is swell. Do a good job with the Risk Management on a continuing basis, and 
you have done all you can do to have good security. Forget about the assurance part. 


Good Risk Management requires, among other things, data inputs from Vulnerability 
Assessments (which are often missing [1]); Threat Assessments; and Risk Assessments; along 
with information about the organization’s budget, resources, and appetite for risk; the assets 
needing protection; and the possible long- and short-term consequences of security failures. 
Good Risk Management also requires sound judgement, prescience, an ability to balance 
tradeoffs, prudent value judgements, objective and quantitative analysis, subjective and 
qualitative analysis, and the ability to leverage hunches and sound intuition. I personally believe 
it should also include something like Marginal Analysis [1]. 


*This paper was not peer reviewed. 




Now it must be said that the need to provide “assurance” to stakeholders and organizational 
leaders is largely unavoidable. This is, however, more about marketing/fund-raising, public 
relations, educating stakeholders about security issues, and making return-on-investment (ROI) 
arguments than it is about security per se. Certainly the stakeholders (being security amateurs) 
can be provided with a simplified discussion of the Risk Management that has been undertaken, 
and why certain decisions were made based on recognized threats, vulnerabilities, attack 
scenarios, and possible consequences of attacks. High-level executives can be warned about 
what happened to other organizations and their executives when the organizations were attacked 
and lacked adequate security measures. 


Two caveats here, however. Firstly, ROI—arguing that security expenditure returns value— 
has proven to be very ineffective. High-level corporate and government executives are often 
highly unimaginative, or else quite willing to live with substantial security risk for the few years 
they have left before retiring, being fired, or moving to a more prestigious position elsewhere. 
The odds are that the bad security incidents being envisioned won’t happen on their watch. Even 
if they do, there are plenty of scapegoats that can be named, including the CSO, CISO, and 
lower-level people. Better to increase corporate profitability, the executives may reason, at least 
from the standpoint of their personal interests and reputation. 


The second caveat is that scaring executives about bad consequences of potential security 
failures or actual failures that happened elsewhere can work, but crying wolf too many times 
undercuts its effectiveness. 


One thing that is crystal-clear about Security Assurance is that it must never be based on the 
results of Vulnerability Assessments (VAs). If it is, there will be enormous pressure (conscious 
and unconscious) to not find vulnerabilities in order to gain a false sense of security. This will 
result in both bad VAs and bad security. 


For similar reasons, security testing must never be used for Security Assurance. (Note that 
Security Testing is NOT the same thing as Vulnerability Assessments [1].) We learn the most 
from Security Tests when we fail them, but if they are the source of confidence in our security, 
the tests will most likely no longer be made relevant or challenging. Moreover, we can’t really 
test what we have not envisioned—thus the need for imaginative, proactive VAs where we think 
like the bad guys. Testing also has other serious limitations such as the difficulty of making the 
tests realistic, and the fact that testing can look at only a small fraction of the possible 
vulnerabilities, attack scenarios, and countermeasures that an imaginative VA can uncover. 


In my view, Security Testing should mostly be for practice and to keep front-line security 
personnel entertained and engaged. Tests can help us somewhat understand our vulnerabilities, 
but they are not nearly as effective at this as a good Vulnerability Assessment. 




In summary, I think we need to worry less about Security Assurance and do a better job with 
Risk Management, including doing more and better Vulnerability Assessments. We also need to 
avoid confusing VAs with other techniques that are not as good at uncovering vulnerabilities, 
attack scenarios, and possible countermeasures. 


References 


1. RG Johnston, Vulnerability Assessment: The Missing Manual for the Missing Link, https://www.amazon.com/dp/B08C9D73Z9 


Journal of Physical Security 13(1), 5-7 (2020) 


Viewpoint Paper 
A Vulnerability Assessor’s Views on U.S. Election Security* 


Roger G. Johnston, Ph.D., CPP 
http://rbsekurity.com 


Based on 30+ years of being a Vulnerability Assessor for a wide variety of security 
applications, doing multiple formal and informal Vulnerability Assessments on various election 
jurisdictions and observing others, demonstrating attacks on voting machines, and having been a 
local election judge for a number of elections, here are some observations and views that I can 
offer about election security in the United States: 


1. In my view, vote-by-mail is likely to be more secure, not less, than in-person voting. There 
are fewer insiders to worry about—not that election jurisdictions (or other organizations for that 
matter) do enough to mitigate the insider threat. (They often fail to deploy various easy and low- 
cost countermeasures.) Moreover, vote-by-mail automatically requires a paper Voter Verified 
Record, the lack of which severely compromises election security in some states. An additional 
factor is that many election jurisdictions do vote-by-mail using optical scanning, which is 
theoretically more secure than other methods, though it must be said that few election 
jurisdictions seem to optimize the security of optical scanners or optical scanning procedures. 


2. Election officials (including election judges) need serious training/practice on handwriting 
comparison, and access to handwriting experts, regardless of the voting scheme. Only a fraction 
of election jurisdictions do the former. 


3. Elections in any form are generally more secure when there is large voter turnout because 
more votes have to be stolen and the conspiracy needs to be larger, increasing the chances of 
getting caught. (This is different from many other kinds of security applications where more 
volume means less security.) Vote-by-mail may increase voter participation. 


4. Large voter turnout tends to occur in close elections where the most is at stake and people care 
the most. Thus, election security effectiveness tends to scale with importance of the election, 
which is a good thing. 


5. The Security Culture seems to be poor in most U.S. election jurisdictions, making it difficult 
to have good security regardless of the type of voting being done. 


6. The use of tamper-indicating seals seems to be poor to comically inept in most election 
jurisdictions. It would not be particularly difficult or expensive to remedy this if the jurisdictions 
cared to do so. Also, the locks and “secure” containers in use are often trivial to defeat. 


*This paper was not peer reviewed. 


7. Cyber attacks on voting systems are often the focus, but physical and electronic attacks are 
much easier and require less sophistication—though they do require physical access for a minute 
or two. That is typically no problem. 


8. The physical security at most election jurisdictions appears to be fairly poor, especially at 
election warehouses. 


9. Current testing of voting machines for tampering is totally ineffective for detecting cyber 
attacks, and especially for detecting physical/electronic attacks. 


10. Both the strength and the weakness of the U.S. electoral system is that the 8,000 to 10,000 
election jurisdictions in the United States mostly do things their own way, with little guidance 
from the federal government, and often minimal guidance from the state government. This 
makes it very challenging for an adversary to steal a national election by tampering with votes 
and voting machines, but it also means some jurisdictions make it very easy to tamper with votes 
and voting machines locally because of the wacky way they do things using election officials 
who are almost always security amateurs. 


11. Stealing a local election by tampering with votes and voting machines is probably fairly easy 
in most election jurisdictions, but tampering on a national scale is very unlikely to succeed. The 
one caveat is that in very close elections, it might be possible for an adversary to identify the 
small number of local election jurisdictions that need to be attacked to sway the national results. 
This requires accurate polls at the state, county, and city level, but recent polling for Presidential 
elections has not been particularly accurate. 


12. Selecting the President by popular vote instead of by the Electoral College would greatly 
improve election security (and make the choice more representative of the voters’ will). 


13. For the November 2020 election, at least 11 states and the District of Columbia allow some 
form of ballot tracking. This is generally going to be a good security practice. Ballot tracking 
allows voters to go online to check on the status of their vote, and to see if someone has 
requested a ballot or voted a ballot in their name. The United States Postal Service also allows 
mail tracking so that a voter can monitor the status of a ballot being mailed to him or her. 


14. Beyond penalties for vote tampering, an adversary tampering with vote-by-mail ballots may 
face serious charges of mail fraud, theft, and trespassing. 


15. Election jurisdictions that require a ballot request before mailing a ballot to the voter 
probably have slightly better security than election jurisdictions that automatically mail ballots to 
all registered voters, though I suspect the difference in security is currently marginal. 




16. Vote-by-mail clearly requires there to be a random virtual numeric token attached to the 
ballot sleeve or envelope that is mailed back by the voter. This is simply a randomized number 
(or barcode) that an adversary cannot guess which shows that the ballot is legitimate. A fake or 
counterfeit ballot would lack the correct number. This random virtual numeric token is one-time 
use and must be different for every voter and different in each new election. It can be a hash 
derived from the voter’s name or voter ID number, though hashes have been broken before. A 
better approach is to generate a random number using a pseudo-random number generator— 
though this needs to be frequently reseeded by a hardware-generated random number. The 
database of the numeric tokens for each voter must, of course, be kept secure. 


17. Some election officials are considering specialty ballot paper and/or secret marks on the 
ballots to indicate ballot authenticity. I am skeptical of this approach because few jurisdictions 
can afford this or the analysis hardware, or have the time to analyze more than a very small 
percentage of ballots. Moreover, I know from first-hand experience that secret marks are 
difficult to keep hidden or secret, and that counterfeiting security technology is often much easier 
than people, manufacturers, and vendors assume. More to the point, I have repeatedly found it to 
be quite easy to simply mimic the one or small number of physical or optical properties being 
measured to check for authenticity. And the devices (“readers”) used to read the relevant 
properties can usually be easily and quickly tampered with. 


18. Mail-in-ballots (and the ballot envelopes) can always be analyzed for fingerprints and DNA 
should a serious inquiry be necessary as to the authenticity of certain ballots. 


19. One of the disadvantages of vote-by-mail is that the identity of the voter and how he/she 
voted are connected for a much longer period of time than for in-person voting. This may 
negatively impact privacy—a citizen’s right to vote in secret. I think this is a relatively minor 
risk, and of less concern than election security. 


20. Why should an adversary risk tampering with votes and voting machines (especially at the 
national level) when this is illegal, at least in theory? It is much easier, safer, cheaper, and likely 
more effective, to do some or all of the following: 
a. Voter Suppression—generally legal and rarely punished politically by the voters. 
b. Voter Intimidation—technically illegal in many election jurisdictions but rarely prosecuted. 
c. Misinformation and Conspiracy Theories via Social Media—totally legal and quite 
effective. Done well by U.S. citizens, fairly well by the Russians, and ineptly by China and Iran. 
d. Sow Chaos, Discord, Disillusionment, and Cynicism to Discourage Voting—a kind of Voter 
Suppression. Seemingly done fairly well by U.S. citizens and the Russians. 


21. For more suggestions on election security, see https://tinyurl.com/ya3djg4t 
For practical tips on improving any kind of security, see https://www.amazon.com/dp/B08C9D73Z9 
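As an added illustration of the ballot-envelope token in item 16 (example code written for this edition, not from the paper), the Python below contrasts a token hashed from the voter's identifier, which anyone holding the voter roll can recompute, with a per-voter, per-election random token drawn from the OS cryptographic random source, and shows the one-time-use check at the election office. Voter IDs and the election label are constructed.

```python
import hashlib
import hmac
import secrets


def hashed_token(voter_id: str, election: str) -> str:
    """The weaker scheme mentioned in item 16: a token derived by hashing the
    voter's identifier. It is deterministic, so anyone holding the voter roll
    can recompute it for any voter without ever seeing an envelope."""
    return hashlib.sha256(f"{election}:{voter_id}".encode()).hexdigest()[:16]


def recomputed_from_roll(voter_id: str, election: str, token_on_envelope: str) -> bool:
    """Forger's check: does the token on a returned envelope equal what the
    hashed scheme yields for this voter? True means the voter roll alone was
    enough to reproduce the token."""
    return hmac.compare_digest(hashed_token(voter_id, election), token_on_envelope)


class TokenRegistry:
    """Election-office side of the random-token scheme from item 16.

    Each voter gets a fresh 128-bit token per election from secrets, which
    reads the OS cryptographic random source (itself seeded from hardware
    entropy), so tokens are unguessable and unrelated across voters and
    elections. verify() accepts each token exactly once."""

    def __init__(self, election: str) -> None:
        self.election = election
        self._token_by_voter: dict[str, str] = {}  # this table must be kept secure
        self._returned: set[str] = set()

    def issue(self, voter_id: str) -> str:
        """Mint and record the token printed on this voter's return envelope."""
        token = secrets.token_hex(16)
        self._token_by_voter[voter_id] = token
        return token

    def verify(self, voter_id: str, presented: str) -> str:
        """Outcome for a returned envelope claiming to come from voter_id."""
        expected = self._token_by_voter.get(voter_id)
        if expected is None:
            return "no ballot issued"
        # Constant-time compare: timing must not reveal how much of a guess matched.
        if not hmac.compare_digest(expected, presented):
            return "invalid token"
        if voter_id in self._returned:
            return "already returned"  # a second envelope reusing a genuine token
        self._returned.add(voter_id)
        return "accepted"


def demo() -> dict[str, object]:
    """Constructed walk-through with made-up voter IDs and election label."""
    election = "2020-11-general"
    registry = TokenRegistry(election)
    genuine = registry.issue("V-1001")
    return {
        # Random token: first return accepted, a duplicate refused, a guess rejected.
        "first_return": registry.verify("V-1001", genuine),
        "duplicate_return": registry.verify("V-1001", genuine),
        "guessed_token": registry.verify("V-1001", "0" * 32),
        "unissued_voter": registry.verify("V-2002", genuine),
        # The random token cannot be reproduced from the roll...
        "random_recomputable": recomputed_from_roll("V-1001", election, genuine),
        # ...but the hashed token can, by anyone who knows the voter ID.
        "hashed_recomputable": recomputed_from_roll(
            "V-1001", election, hashed_token("V-1001", election)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```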


